How to Triage Computer Evidence

Written by David Kennedy and David Sun

Tackle Moore’s Law with Less

If you process digital evidence on a day-to-day basis, chances are those days are booked up for weeks to come. How long, on average, does it take your team to analyze the data in a new case? Security, law enforcement, and corporate computer-forensics departments are stretched beyond their resources; reported backlogs of digital evidence vary, but they are often in the eight- to 12-month range or more.

Take a quick glance at why these backlogs exist, and it becomes obvious that things will not get better by simply doing more of the same. The rapid growth of digital devices is readily apparent as netbooks, smart phones, and flash drives have joined desktop computers and laptops as standard computing fare. Underneath the plastic and metal bits is the true, less discernible reason for the backlog scramble: the storage capacity of these devices has grown exponentially. Traditionally, the more storage capacity a device has, the longer it takes to analyze it thoroughly.

Blame Moore’s Law—Sort Of

You may have heard of Moore’s Law. Originally, it was a prediction made 45 years ago by Intel co-founder Gordon E. Moore regarding the growing number of transistors that engineers could cram onto a microchip. Over the years, the interpretation of Moore’s Law has expanded to describe other long-term trends in computer development—specifically, computer capacity. Processing speed, memory, and digital-storage capacity per dollar spent have each approximately doubled every two years.

Let that settle in for a moment:

Digital-storage capacity has approximately doubled every two years.

If a corporate or law-enforcement department with four computer-forensics specialists was able to keep up with new evidence in a timely manner four years ago, it would have required nearly double the manpower two years later to do the same work in the same amount of time. In other words, that department would now require eight employees. Fast-forward another two years, and that same department would need 16 computer-forensics experts to handle the same load. Assuming a status-quo approach to the problem, in another two years, you will need 32 experts to perform in the same capacity.

How many departments have computer-forensics budgets that can keep up with an 800-percent increase in personnel over a six-year period? It simply is not feasible, which is why we are where we are today.

Eenie-meenie-miney-Moore: Triage away the irrelevant

If storage capacity creates a problem for thoroughly analyzing evidence, it may be time to analyze less evidence—or at least prioritize the evidence to determine what gets attention first. Among the piles of laptops, desktops, and netbooks, which device is most likely to contain the critical details needed to build your body of evidence?

Hospitals and medical clinics have managed a very similar problem. In high-volume periods, care providers are forced to ask, “Who needs valuable resources first?” Patients’ symptoms are assessed as soon as they walk through the door.

Patients are not seen by doctors on a first-in, first-out basis. How often does someone who needs earwax removed see a doctor ahead of the guy with the broken arm? Chances are a clogged ear will not find its way to a doctor at all; the nurses are more available and they can readily handle this case. Patients are sorted by the severity of their condition, and resources are applied first where they are needed most.

This is triage in action.

Out of the hospital... and back to the crime scene

Ready to tackle that computer-evidence backlog? With a triage procedure and the right tools in place, first responders can perform a preliminary review on site. With an ideal tool, investigators can prioritize evidence by likelihood of relevancy.

Consider a crime scene that has 20 computers. If only three of those computers contain relevant data, a well-executed triage will prioritize those three above the others for a computer-forensics analyst’s precious time back in the lab. Seventeen of those computers may never need more than the preliminary triage.

There are a couple of tools already on the market that are being leveraged for different computer-evidence triage strategies. Many factors go into crafting a triage procedure. From here on out, this article will focus on considerations for choosing the tools for your new computer-evidence preliminary-assessment plan.

A quick disclaimer: We are operating under the assumption that installing software on the computer about to be examined is a bad idea. While conventional free software (Google Desktop, for example) enables some of the search and preliminary analysis capabilities we are about to talk about, installing software directly onto a suspect machine may overwrite the evidence you are trying to capture. Other options that do not “leave a trace” are rapidly dropping in price with new players on the field, making it increasingly easier to avoid software installation on evidentiary media simply as a means of cutting costs.

BitFlare, by SunBlock Systems, is a freely available CD that can be downloaded directly from their website. Suspect machines are booted off of this CD. Extracted evidence is saved on standard, readily available external USB hard drives. There are no up-front software license fees; users are able to perform a high-level examination for free, and only pay to document and extract relevant results. www.bitflare.com

COFEE (Computer Online Forensic Evidence Extractor), by Microsoft, is a USB-drive solution that is available for law enforcement. After registering, you can download the program and save it on as many USB flash drives as you would like. It is essentially a collection of tools available publicly for download from the Microsoft website enabling the collection of files and operating-system data from the computer. www.microsoft.com

EnCase Forensic, by Guidance Software, has been used in the past by trained forensic investigators in “Preview Mode” on site to assist with triage. The computer-forensics product is aimed at professionals and is a staple in the industry. However, some consider it ill-suited for onsite triage, as the license dongle is limited to one machine at a time. www.guidancesoftware.com

EnCase Portable was recently released by Guidance Software, partially to address the first-responder limitations of EnCase Forensic. Users can purchase an EnCase Portable package that includes USB Hub, CD, and dongle kit. www.guidancesoftware.com

Triage-ID is one component of several offerings from ADF Solutions. Groups can license copies of the software. The license itself resides on a USB dongle. Much like BitFlare, suspect machines can be booted off a CD. Unlike EnCase Portable, the dongle is not limited to one machine at a time. www.adfsolutions.com

Qualities to consider when choosing your triage toolkit

A triage tool needs to allow for preliminary analysis. Welcome to our most obvious requirement: You must be able to quickly assess what is on the machine! You will want to be able to leverage the machine’s computing power itself. To simplify the process, you will want to avoid removing the hard drive. Key-word searching and file-metadata analysis are typical tools found in computer forensic software, and your triage tool should offer no less than these capabilities.

Several options are designed for you to run the software directly on the computer. BitFlare and Triage-ID each contain their own operating systems and boot off of a CD. After you insert the disc and power up the machine, the suspect computer serves as your triage platform onsite or back at the laboratory. EnCase Portable can be run on the machine while it is running, or you can boot up the suspect computer with an included CD. Some computer-forensics teams that have been dabbling in triage have used EnCase Forensic in Preview mode, but the industry (and Guidance Software itself, with its release of EnCase Portable) should move past this: that method requires you either to install the program onto the suspect computer’s hard drive or to remove the hard drive and connect it to another machine.

Given the ever-increasing amounts of data on hard drives, keyword searching is a critical component of sifting through the bytes. Keywords also play a crucial role in triaging an incident. If you are investigating a kidnapping and are triaging 100 computers in a school, which ones will you review? Try searching for the individual’s e-mail address on each one. If only one or two computers contain hits for that keyword, you have very effectively narrowed your scope.

More powerful keyword searches, called regular expressions, can locate patterns of data, such as Social Security, credit card, and phone numbers. This additional search feature is commonly available in new computer-forensics triage software, but it is worth noting this feature in the event that it is missing from your triage software of choice.

Reviewing file listings and associated metadata can quickly build a general overview of what has been happening recently on a machine. Metadata includes characteristics such as file type, the number of times the file was modified or accessed, file size, and where on the computer the file is located. If you are responding to an incident that occurred that day, could files deleted that morning be of interest? If you are interested in utilizing this capability in the field, neither EnCase Portable nor Microsoft’s COFEE allow for in-situ review of the entire drive. BitFlare will, and provides broad categories to filter by such as image and video files, or Microsoft Office files.

Quickly access the “forensic” areas of digital evidence. You may already know that a good deal of the data on a computer hard drive is not merely found in files. While a myriad of technical terms such as slack space, unallocated space, and boot partitions define specific areas of a hard drive not defined by the file system, we can generally bundle them all together and refer to them as forensic areas. Ignoring these forensic areas has been one approach some have taken when looking to improve turnaround times. Analyzing this information is becoming easier and easier. Do not pass it up!

There is a laundry list of potentially relevant data in these forensic areas. When a file is deleted, oftentimes pieces of it are left on the hard drive—and sometimes several copies are scattered about. Many Internet browsers create temporary files when viewing a web page, only to delete them later. These webpage fragments can contain key information, including banking statements as well as e-mails read and sent over popular web-mail services. If you are in computer forensics, you have likely run across many suspects who turn to web mail for its perceived privacy. Currently, neither EnCase Portable nor COFEE accesses this part of the hard drive; BitFlare and Triage-ID offer keyword searches aimed primarily at carving data from these forensic areas.
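The keyword and regular-expression searching described above, run over every sector of a drive rather than only over live files, is what lets a triage tool surface a deleted web-mail fragment next to an allocated document. The following is an added example, not code from the article or from any of the products it names: a small Python scanner over a constructed in-memory "disk image" (a live file, an empty sector, and a deleted-file fragment in unallocated space) that reports keyword and pattern hits by byte offset and sector, applies a Luhn check to cut down false card-number hits, and records a SHA-256 of each extracted hit so the lab can re-verify it later.

```python
import hashlib
import re

# Constructed raw "disk image": one allocated file, one empty sector, and a
# fragment of a deleted e-mail sitting in unallocated space. A real triage
# run would read sectors from the drive or an image file instead.
SECTOR = 512
LIVE_FILE = b"Meeting notes 2010-03-02. Call Alex at 703-555-0142 re: budget.\n"
DELETED_FRAGMENT = (b"From: alex@example.com\r\nTo: pat@example.com\r\n"
                    b"Card ending 4111 1111 1111 1111, ssn 123-45-6789\r\n")
IMAGE = (LIVE_FILE.ljust(SECTOR, b"\x00")                           # sector 0
         + b"\x00" * SECTOR                                          # sector 1
         + b"\xff" * 100 + DELETED_FRAGMENT.ljust(SECTOR - 100, b"\x00"))  # sector 2

# Byte regexes for the data types the article lists; they see every sector,
# allocated or not, so deleted fragments are found as readily as live files.
PATTERNS = {
    "phone": re.compile(rb"\b\d{3}-\d{3}-\d{4}\b"),
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(rb"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops 13-16 digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def record(kind: str, offset: int, value: bytes) -> dict:
    # Offset, sector and a hash of the hit let the lab re-verify the extract.
    return {"kind": kind, "offset": offset, "sector": offset // SECTOR,
            "value": value.decode(errors="replace"),
            "sha256": hashlib.sha256(value).hexdigest()}

def triage_scan(image: bytes, keywords=()) -> list:
    """Scan every byte of the image for patterns and case-insensitive keywords."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(image):
            value = m.group(0)
            if name == "card" and not luhn_ok(re.sub(rb"[ -]", b"", value).decode()):
                continue
            hits.append(record(name, m.start(), value))
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            hits.append(record("keyword:" + kw, m.start(), m.group(0)))
    return sorted(hits, key=lambda h: h["offset"])
```

Running `triage_scan(IMAGE, keywords=["Alex"])` returns one phone and one keyword hit from the allocated file in sector 0, and the e-mail addresses, card number, SSN-shaped string and a second keyword hit from the deleted fragment in sector 2.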

Your tool should not limit the scope of your triage. When it comes to triage-capable software options, there are several different licensing models available. Depending on the volume of evidence and your triage-procedure goals, differing models can impact your ability to work. Most dongle-based licensed products, such as EnCase Forensic or EnCase Portable, will limit the number of machines you can analyze at one time by the number of licenses you purchase. As long as the machines you are triaging are in the same location, Triage-ID does allow for parallel processing; its software dongle is only required at boot-up. BitFlare operates completely dongle-free and is limited only by the number of BitFlare CDs available (or CD-Rs, if you have a burner on hand).

Triage with your nurses, not your doctors. In the old days, doctors made house calls: one patient examined by one doctor. The triage approach at hospitals works so well because positions requiring less training—such as front-desk receptionists or nurses or students-in-residency—help handle patients’ needs when they do not require the doctor’s attention. When implementing electronic-evidence triage, you will want to leverage less resource-intensive employees, as well.

Many of the newer computer-forensic triage tools on the market today are specifically aimed at minimizing the amount of training needed for usage. Most solutions have been designed to easily deploy the solution on the evidentiary machine, regardless of the user’s level of training.

BitFlare’s interface is even wizard-driven: it uses a step-by-step process for extracting data, complete with Next and Back buttons. Data extraction is driven by selecting Evidence Discovery Packs, or EDPs, off of their website. The website builds the queries customized for the matter on hand. The process is about as complicated as adding a video to a Netflix queue.

Forensic-imaging capability is a must. Triaging a situation will not always be perfect. Ongoing investigations continually generate new leads and relationships.

If you cannot always seize and store all of the computers throughout the duration of your investigation, you will need a tool that will forensically preserve the computer. A forensic preservation creates a perfect copy of the data, including forensic areas, just as it is on the computer in question.

BitFlare, Triage-ID, EnCase Portable, and EnCase Forensic will all allow you to create forensic copies on-site. EnCase Portable produces images in its proprietary EWF format, and generally requires EnCase Forensic or another Guidance Software tool for further analysis. BitFlare’s images are produced in an encrypted format, enabling security of data during transit and third-party verification of evidence.

Defense, defense, defense!

As with any evidence, be sure that your tool is properly documenting what evidence it extracts and that all of the files extracted are verifiable. Without a strong chain of custody, what good is having the evidence? This is especially true when handling extracted files as computer evidence. For example, consider a confession as evidence. If someone writes it out by hand, can you tell if someone added the word “not” to the sentence “I did do it”? If the evidence is an extracted text file, can you tell if someone made the same change?

Nearly all tools that were specifically designed for computer forensics do this to some degree. Ensure that cryptographic hash values (such as MD5 or SHA-256) are calculated for all extracted files, so that any later alteration of an extract can be detected.

What next?

Choosing the right set of tools is only a part of a successful triage strategy. Different organizations are going to have different needs and resources available, and new tools may be available on the market even as this article is hitting the press. Your computer-forensics experts already on hand will offer valuable insight into the challenges their particular group faces. If you are in law enforcement, is it acceptable to use an approach that does not fully examine all evidence? If you are working with a team that investigates issues within your corporation, is it a viable solution to bring IT staff from outside to assist with a triage?

The problem can be a big one to tackle, and different groups will ultimately deploy different policies that will mature over time and with experience. The nature of digital evidence, however, is unlikely to change. It will merely continue to explode, and a strong understanding of desired qualities for a triage tool will aid you regardless of other tactical decisions that may be made going forward.

About the Authors

David Sun is the founder and president of SunBlock Systems, a privately held computer-forensics and investigation firm. Sun holds numerous certifications in computer forensics and information security, and has conducted hundreds of computer examinations all over the world. He is also an adjunct professor at George Mason University, and he holds multiple patents for inventions in the field of computer forensics. To learn more about Sun and SunBlock Systems visit: www.sunblocksystems.com